The "Permission denied (publickey)" error occurs when SSH cannot verify your identity using public key authentication. This typically results from missing SSH keys, incorrect file permissions, or the public key not being registered on the server.
SSH uses public key cryptography for passwordless authentication. When you attempt to connect to a server, SSH tries to authenticate using your private key and verifies it against the public key stored in the server's ~/.ssh/authorized_keys file. The "Permission denied (publickey)" error means the server rejected your authentication attempt because: 1. Your private key doesn't exist or couldn't be read 2. Your public key isn't in the server's authorized_keys file 3. File permissions are incorrect (SSH is very strict about this) 4. You're connecting with the wrong username or to the wrong host 5. The SSH agent (if used) doesn't have your key loaded This is a security feature—SSH fails closed to prevent unauthorized access.
Check if you have SSH keys on your local machine:
ls -la ~/.ssh/Look for files like id_rsa (private key) and id_rsa.pub (public key). If they don't exist, generate a new key pair:
ssh-keygen -t ed25519 -C "[email protected]"Press Enter to accept the default location (~/.ssh/id_ed25519) and optionally set a passphrase.
SSH is very strict about file permissions. Incorrect permissions will cause this error:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/known_hosts # if it exists
chmod 600 ~/.ssh/config # if it existsVerify the permissions are correct:
ls -la ~/.ssh/Expected output:
- drwx------ (700) for ~/.ssh
- -rw------- (600) for private keys
- -rw-r--r-- (644) for public keys
The easiest way is using ssh-copy-id:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-hostReplace user with the correct username and remote-host with the server address.
If ssh-copy-id is not available, manually add it:
1. View your public key:
cat ~/.ssh/id_rsa.pub2. Copy the entire output (starts with ssh-rsa or ssh-ed25519)
3. Log into the server with password authentication (if available):
ssh user@remote-host4. On the server, ensure the ~/.ssh directory exists and has correct permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh5. Append your public key:
echo "your-public-key-here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys6. Exit the server and try connecting again.
If you have multiple SSH keys, SSH might be trying the wrong one first. Use the -v flag to see which key is being used:
ssh -v user@remote-hostLook for lines like:
Trying private key: /home/user/.ssh/id_rsaIf it's trying the wrong key, explicitly specify the correct one:
ssh -i ~/.ssh/id_ed25519 user@remote-hostTo make this the default for a specific host, add it to your SSH config (~/.ssh/config):
Host remote-host
User user
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yesLog into the remote server (using password auth if available) and verify your public key is there:
cat ~/.ssh/authorized_keysYour public key should appear as a single line starting with ssh-rsa or ssh-ed25519. If it's missing, add it using the steps above.
Also verify file permissions on the server:
ls -la ~/.ssh/authorized_keysShould be -rw------- (600) or -rw-r--r-- (644). If permissions are wrong:
chmod 600 ~/.ssh/authorized_keysIf none of the above worked, use maximum verbosity to see exactly where the authentication is failing:
ssh -vvv user@remote-hostCommon output patterns and what they mean:
"No more authentication methods to try"
- All authentication methods failed; the public key wasn't accepted
"Authentications that can continue: publickey"
- Server requires publickey auth, but your key was rejected
"No identity files matched"
- SSH couldn't find any keys in the expected locations
"Permission denied" after "Offering public key"
- Key was found but doesn't match what's in authorized_keys on the server
Check the server logs too (if you have access):
sudo tail -f /var/log/auth.log | grep sshLook for messages like "Invalid user", "Authentication refused", or "key_type not in PubkeyAcceptedAlgorithms".
SSH Agent and Key Loading: If you're using ssh-agent to manage multiple keys, ensure your key is loaded:
# Start the agent if not running
eval "$(ssh-agent -s)"
# Add your key
ssh-add ~/.ssh/id_ed25519
# List loaded keys
ssh-add -lDifferent Key Types: Modern SSH prefers Ed25519 keys over RSA. When generating new keys, use ssh-keygen -t ed25519. However, ensure the server supports your key type. For compatibility with older servers, RSA (4096-bit) is usually safe.
GitHub-Specific: If connecting to GitHub, ensure you're using the correct host:
ssh -T [email protected]Rootless/Unprivileged SSH: If running sshd as a non-root user, the standard ~/.ssh paths may not work. Check the server's sshd_config for AuthorizedKeysFile setting.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH